10 security tips your account holders need to hear

As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders

As we move into Cyber Security Awareness Month, we’ve assembled a list of security awareness tips that should be top of mind for account holders doing any type of online banking, or even just accessing the Internet in general. Many of these are likely things you have heard before, but a little repetition can go a long way. As you gear up for Cyber Security Awareness Month, consider sharing these ten tips with your account holders:

  1. Take infections seriously; a virus may not just be a virus. Most of us, if we’re honest, have probably been guilty of thinking that if our PC gets infected with something, it’s not that big of a deal—that’s what our IT department is for, after all. They’ll have whatever the latest nasty bug we’ve contracted wiped from our machine and we’ll be back on track in no time… right? Wrong. These things are not named after scary critters for no reason—they are serious and have serious implications. Think about the effect financial malware can have on your personal finances or on your small business’s network immediately upon download.
  2. Control access to your machine. Think twice before walking away from your computer to get that third cup of coffee without first locking it. Even worse is leaving your machine unattended in public, or in the backseat of your car during happy hour. Malicious physical access to devices can be an overlooked attack vector. It’s amazing how quickly files can be dumped or unintended access to sensitive information gained during a quick few minutes away from your machine.
  3. Trust but verify: if it sounds too good to be true, it probably is. Don’t fall prey to schemes that play on your natural inclination to trust. Being trusting is not necessarily a bad thing, but it’s important to verify before taking action. Be wary of things like employment offers to make a quick buck, claims that you are a lucky winner of something, or limited time offers to cash in on an opportunity. Simply put: if it sounds too good to be true, don’t be too quick to believe it.
  4. Don’t use insecure Wi-Fi or unknown machines for banking. Sensitive online activity, such as online banking, should only be conducted from a device that belongs to you on a trusted network. Paying a few bills while you’re sipping your favorite latte at a local coffee shop may seem innocent enough, but what do you really know about others who are connected to that public Wi-Fi? Sniffing traffic on a public Wi-Fi connection can be shockingly simple, and can leave everything you are doing on that network free for the taking.
  5. “TMI” – Don’t overshare on social media. We may all be guilty of sharing too much information (TMI) at times. Don’t let social media be your outlet for sharing “TMI” about yourself to millions of people all over the world. Social media outlets are information gold mines for anyone who may be looking to learn more about their next victim. Knowing where you vacation, the name of your pet, and your mother’s maiden name may come in quite handy for someone attempting to impersonate you.
  6. If you’ve got it, update it. If you don’t need it, delete it. Updating your software is not something you should do only when your machine slows to an unbearable crawl because it hasn’t been updated in months. Installing the latest versions of software ensures that what you are running has the latest security patches and keeps you protected. Update your software as soon as new releases are announced, and delete any unnecessary programs on your devices that you don’t need in day-to-day business. Installing lots of nonessential software just provides increased exposure points for you and your information.
  7. Scrutinize your email. Many of us comb through hundreds of emails every day, and clicking through and opening these emails is second nature. However, email is one of the most common attack vectors and is a quick and easy way for attackers to drop malware onto your PC or mobile device, or to trick you into providing sensitive information. Pay close attention to any emails that appear to come from slightly odd senders, and be extremely wary of any email requesting you to provide or confirm sensitive information. Your financial institution should never ask you to confirm or provide any type of personal information via email. Report suspicious emails to your employer and delete them completely without opening or clicking any contained links.
  8. Be mindful of what you plug in. Throwing files onto a USB drive can be a quick and easy way to share information. However, it’s also a quick and easy way to spread malware. Only plug removable media that you know and trust into your devices, and never share these storage devices amongst multiple parties.
  9. Knowledge really is power. When it comes to online banking, it pays to be in the know. Use your financial institution’s real-time alerts to keep yourself aware of anything going on in your account that may not be normal. Setting these alerts to deliver to multiple targets (voice calls, SMS text messages, and email) can help ensure their safe and quick delivery. Notify your financial institution immediately if you receive an alert regarding activity you did not generate.
  10. Get away from the “that can’t happen to me” mindset and prepare yourself. Live by the adage that it’s better to be safe than sorry. Believing that “it can’t happen to you” is a very risky position to take. Educate yourself on security precautions that you can take to prevent yourself or your business from becoming a victim. Work to spread the word of online safety to your friends, colleagues and families and be proactive in putting security measures into place.


Cyber security and the threat landscape are constantly evolving, and keeping your institution and your account holders as secure as possible requires their participation. Use October to stress the importance of cyber security and remind your account holders of their own role in keeping themselves safe.

When trust turns sour: The threat of social engineering attacks to your institution

Tips to building a successful defense strategy

Hunter S. Thompson once said, “I am a generous man, by nature, and far more trusting than I should be. The real world is risky territory for people with generosity of spirit. Beware.”

This quote could not be truer or resonate more today, especially when discussing the topic of social engineering attacks in the financial sector.


“The real world is risky territory for people with generosity of spirit” is incredibly accurate if you think about it. The unfortunate truth is that, as humans, our natural inclination is to trust and to look for the good in people—particularly in the case of individuals working in customer service positions. Unfortunately, this makes us easy prey for fraudsters. Trusting, helpful human spirits are the low-hanging fruit. Attacks aimed at humans don’t require an attacker to place malware on a device or inject anything into a browser—often all it takes is a simple phone call into the back office. With just a few nuggets of information about an end user, fraudsters often have all of the necessary tools to convince a financial institution’s (FI’s) employee to readily “help” them.

While we all would like to think that our staff will not fall for such schemes, I’d caution that the shift in transaction amounts occurring in such attacks is raising fewer and fewer eyebrows. Why? In many cases fraudsters are moving toward initiating smaller transactions—generally less than $10K—rather than high-dollar wires, so as not to attract unwanted attention. These smaller transactions are bounced through multiple mule accounts before ultimately leaving the country.

Particularly where social engineering is concerned, we have seen a 63 percent increase in fraud cases reported to Q2, when comparing only the first quarter of this year to all of 2014. That’s a dramatic upsurge in just three months, as compared to the prior 12.

At a high level, these reports consist of phone calls, faxes or emails into the back office attempting to generate transactions or change sensitive information on an end user’s account. And, with the amount of personal and company information available and accessible on the internet, the reality is that these scams are not difficult to pull off.
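The pattern just described (a back-office change request followed by transfers kept under the $10K review line) is something a fraud team can screen for in its own event data. The following is an added example, not Q2's code; the event schema, the 7-day window and the 80%-of-threshold band are assumptions, and the log is constructed.

```python
"""Flag transfers that fit the back-office social-engineering pattern."""
from datetime import date, timedelta

REVIEW_THRESHOLD = 10_000        # high-dollar wires above this already get reviewed
STRUCTURING_BAND = 0.80          # flag amounts from 80% of the threshold up to it (assumed)
CHANGE_WINDOW = timedelta(days=7)  # assumed look-back after a profile change
BACK_OFFICE_CHANNELS = {"phone", "fax", "email"}

# Constructed sample log: account A1 has its contact details changed by phone,
# then sends two just-under-threshold transfers to a payee it has never used.
EVENTS = [
    {"ts": "2015-04-01", "account": "A1", "type": "profile_change", "channel": "phone", "field": "email"},
    {"ts": "2015-04-02", "account": "A1", "type": "transfer", "channel": "online", "amount": 9_400, "payee": "P-NEW"},
    {"ts": "2015-04-03", "account": "A1", "type": "transfer", "channel": "online", "amount": 9_850, "payee": "P-NEW"},
    {"ts": "2015-04-03", "account": "A2", "type": "transfer", "channel": "online", "amount": 9_500, "payee": "P-OLD"},
    {"ts": "2015-03-01", "account": "A2", "type": "transfer", "channel": "online", "amount": 500, "payee": "P-OLD"},
    {"ts": "2015-04-04", "account": "A1", "type": "transfer", "channel": "online", "amount": 250, "payee": "P-NEW"},
]


def flag_structured_transfers(events, threshold=REVIEW_THRESHOLD):
    """Return [(event, reasons)] for transfers worth a human look.

    A transfer is flagged when it sits just under the review threshold AND at
    least one corroborating signal is present: the payee is new for the
    account, or the account's profile was changed through a back-office
    channel within CHANGE_WINDOW. A single signal on its own is not flagged.
    """
    events = sorted(events, key=lambda e: e["ts"])   # stable: preserves same-day order
    seen_payees = {}   # account -> payees used before the current transfer
    last_change = {}   # account -> date of most recent back-office profile change
    flagged = []
    for e in events:
        acct, when = e["account"], date.fromisoformat(e["ts"])
        if e["type"] == "profile_change" and e["channel"] in BACK_OFFICE_CHANNELS:
            last_change[acct] = when
            continue
        if e["type"] != "transfer":
            continue
        under_threshold = threshold * STRUCTURING_BAND <= e["amount"] < threshold
        reasons = []
        if e["payee"] not in seen_payees.setdefault(acct, set()):
            reasons.append("first transfer to this payee")
        change = last_change.get(acct)
        if change is not None and when - change <= CHANGE_WINDOW:
            reasons.append("back-office profile change %d day(s) earlier" % (when - change).days)
        seen_payees[acct].add(e["payee"])
        if under_threshold and reasons:
            flagged.append((e, ["just under review threshold"] + reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in flag_structured_transfers(EVENTS):
        print(event["ts"], event["account"], event["amount"], "->", "; ".join(reasons))
```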

As we look to the future, a combination of factors will continue to contribute to fraudsters’ use of social engineering as an attack of choice, to name just a few:

  • The shift toward Europay, MasterCard and Visa (EMV), and the reduction of fraud via the reselling of reproduced cards.
  • The continued evolution of anomaly detection anti-fraud tools catching transactions generated online.
  • The fact that these attacks really are just too easy, as they rely simply on trusting human nature.


Building a successful defense strategy for these types of attacks ultimately comes down to consistent training and testing of employees’ reactions to a variety of challenging scenarios. The Q2 Security team has built a targeted, customized Social Engineering Testing service designed to pressure employees in scenarios we’ve seen used in actual fraud cases. The reality is that we truly don’t know how staff will react to these types of schemes until they are faced with the situation in a real-world scenario. Trust itself is not a bad thing, however, encouraging a culture of “trust, but verify” may just pay off in the long run.

What cyber security lessons were learned in 2014?

Arguably, 2014 will be remembered as a year that left its mark on the state of cyber security across the industry. From massive retail data breaches to cyber attacks waged by nation states against organizations, the widespread impacts led to unprecedented repercussions. These types of attacks can cause brand damage, increased audit scrutiny and significant loss of market share. Let’s take a closer look at what we saw in 2014.

Massive Retail Breaches

2014 was a record year for retail data breaches – at least in terms of number of records lost. Between Home Depot, Target and JP Morgan Chase, nearly every American felt the impact in some way, shape, or form. And while the large retailers occupied the mainstream headlines, a slew of small and mid-size retailers experienced similar breaches. POS (Point-of-Sale) systems became a popular target for criminals, as they obviously play a significant role in processing financial transactions. This, coupled with the increased demand for stolen credit cards, had a significant impact on the surge of malware targeting POS systems. Until merchants and manufacturers get serious about securing these terminals and their networks, they will remain a rich target for cyber criminals.

Sophisticated Banking Trojans

An underground market once dominated by ZeuS, Carberp, Citadel and SpyEye has given birth to more advanced variants and copycats boasting additional functionality and capabilities. In 2013 nearly a million new banking malware variants were uncovered, more than double the volume of the previous year. Institutions amped up their security to protect against these threats, but the rise of banking malware continued into 2014 as fraudsters tried to stay one step ahead. Last year we were introduced to Kronos, Emotet, Dridex and Dyre. Although the core functionality (e.g. stealing online banking credentials) remained, these newer variants included enhancements in the form of anti-detection techniques and intelligent communication mechanisms.

Surges in Crypto-malware

Researchers observed a global surge in the occurrence of crypto-malware families such as Cryptolocker, Cryptodefense and Cryptowall. Crypto-malware is a particularly sinister threat that encrypts data on a compromised device and then attempts to extort money from the victim in exchange for having the data decrypted. Across the world, we watched as crypto-malware targeted a wide range of victims, from state governments to small towns, and from large corporations to the average consumer. Faced with really no other option, most victims reluctantly paid the demanded ransom, crossing their fingers and blindly trusting that their data would be restored. Unfortunately, this wasn’t always the outcome.

Attacks Aimed at the Weakest Link

The threat of attacks directed at the human element of security had been predicted. Frankly, it continues to prove to be the path of least resistance and yields a high rate of success. Attackers are no longer “throwing the kitchen sink” in the hope that the victim bites at the phish. Instead, techniques evolved as social engineering efforts became more specially crafted, targeting the victim in a manner that increased the chance the victim would divulge information or perform actions that would be unlikely in ordinary circumstances. Well-planned attempts targeted the back office at financial institutions, and fraudsters impersonated legitimate customers and coerced victimized employees into approving fraudulent transactions.

2015 and Beyond

So, what does 2015 have in store? Not surprisingly, we should probably be hedging our bets towards more of the same. However, I strongly believe institutions can tip the scale of power in their favor. Security requires vigilance and accountability. The threats we face are too pervasive to allow us to believe we can prevent them all. Financial institutions must leverage the right technology solutions that not only help defend against these threats, but also provide real-time detection. Ideally, these solutions can improve our ability to not only respond, but also remediate all types of attack. Tipping the scale, we greatly improve our chances for winning this ongoing fight.

Heightened FI Accountability Should Fuel Relationship Resurgence among Commercial Clients

The recent TRC Operating Co. Inc. case is only one of several creating a ripple of increased fraud awareness across businesses and their financial institutions (FIs). While it takes the vested interest of both parties to assess risk, build the fortress, and maintain safe-keeping, who’s to blame when security is compromised?

TRC’s claim of strictly being offered a username and password – and no further security controls – ultimately resulted in a $350K settlement paid by United Security Bank. So where is the line drawn?

Businesses do not receive the same protection against cyber fraud that is afforded to consumer banking customers under Reg E. While commercial customers are typically provided enhanced security solutions, they do not receive the loss protection piece that retail account holders do – which limits losses to $50 if reported within two days. As such, it’s on FIs to provide “commercially reasonable security procedures” to their business clients.

Username and password clearly do not cut the mustard as a standalone security control for commercial customers – or for that matter, any customer. Institutions are not just accountable to provide strong security options; when litigation arises, they are now being asked to prove they have attempted to offer these solutions to customers, who can then decide their own fate. This was evidenced in the recent court ruling in St. Louis that found Missouri-based title company Choice Escrow responsible for over $400K in fraud losses, after it declined [in writing] to use the security controls offered by its bank.

That being said, fault for fraud does not automatically fall on FIs alone. In reality, the term “commercially reasonable” when referencing security procedures is subjective. Therefore the blame should be shared – and preferably the fraud prevented or squashed altogether through tightened business/banking partnerships.

In light of the recent lawsuits making headlines, business owners must remain vigilant and aware of the clear and present dangers that exist, and FIs must establish themselves as the trusted advisor. To help diminish some ambiguity for business and banking partners, the UCC provides the below guidelines as to the determining factors of the “commercial reasonableness” of a security procedure:

  • What are the wishes of the customer expressed to the FI?
  • What are the circumstances of the customer known to the bank – including size, type, and frequency of payment orders normally issued by the customer to the bank?
  • What are the alternative security procedures offered to the customer?
  • What security procedures in general use by customers and receiving banks can be updated?

While “commercially reasonable” will continue to evolve with the landscape, FIs need to make the leap to a proactive security approach. Not to mention, strengthening the relationships among FIs and their commercial customers will only reinforce the barriers we’re all building against potential fraudsters.

Combatting Fraudsters

What is the right approach as the attack landscape changes?

I often get asked about my thoughts on banking from mobile devices. There’s no doubt about it: increasing demand for banking on mobile devices has made it a critical component of most financial institutions’ (FIs’) offerings. But my concern is that I don’t think FIs or account holders fully appreciate the potential risks of banking on mobile devices. These are risks that, as a CSO, I see or hear about every day.

I know a lot of industry folk claim that security professionals often hyperbolize about mobile banking threats. But here is the reality: surprisingly, many mobile banking applications are designed without proper security controls built in. Even worse, perhaps the underlying mobile operating system has flaws in its design. Look no further than the recent Apple iOS security vulnerability as an example (oh by the way, make sure to get the latest iOS update for you iPhone users). And even when the apps have proper built-in security, it may not be enough. Why? Well, as we deploy more sophisticated controls, fraudsters also adapt their techniques. Couple insufficient security with the proliferation of malware attacking mobile devices, and you have a threat that is very real and will continue to grow, evolving from running up bogus charges from cellular carriers—which is minor in comparison—to the potential of credential-stealing and theft of financial data.

Theft of financial data from mobile devices, you ask? You bet. One method we are beginning to see is the use of malicious Quick Response (QR) codes. For example, fraudsters create fake ones to convince account holders to download “new security software” from their FI. What really happens is the account holder downloads malware onto their mobile device, which then waits to intercept an out-of-band (OOB) SMS one-time password (OTP). Once obtained, fraudsters can log in as the account holder or potentially use it to approve a financial transaction. Yep, from the same out-of-band SMS OTPs that we all believe to be a secure method for countering attacks. And this is just one example.

But with the right approach, I know we can defeat fraudsters. This is why I’m so passionate about working with FIs to establish a multi-layered security strategy, one that focuses on the entire banking session, from login and authentication through transaction submission. In the face of a myriad of threats, layered controls should be deployed to ensure a secure banking experience. Examples include the use of OOB OTPs and tokens, behavioral modeling to detect and prevent anomalies, multi-factor authentication, and the use of dual controls.

Why layered controls? This approach ensures the weakness of one control is compensated by the strength of another. And of course, these controls cannot be set and forgotten. They must be revisited as the attack landscape changes. My question to you: Is your FI investigating or using a multi-layered security approach? Implementing such a strategy will go a long way towards mitigating threats.
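To make the “weakness of one control compensated by another” point concrete, here is an added example (not Q2's code) of a transaction authorization decision that layers the controls named above: the OOB OTP result, behavioral signals, and dual control. The field names, the 3x-baseline and three-signal rules, and the $5,000 dual-control limit are assumptions; the submissions are constructed, and the first one models the intercepted-SMS-OTP case, where the OTP is correct but every other layer disagrees.

```python
"""Layered authorization: a valid OTP is necessary but never sufficient."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Submission:
    otp_verified: bool       # out-of-band SMS OTP matched what the FI sent
    known_device: bool       # device fingerprint seen before for this user
    usual_geo: bool          # IP/geo consistent with the user's history
    new_payee: bool          # first transfer to this payee
    amount: float
    typical_amount: float    # behavioral baseline for this user (assumed input)
    second_approver: bool    # dual control already satisfied by a second user


DUAL_CONTROL_ABOVE = 5_000.0   # assumed policy value


def risk_signals(s: Submission) -> list[str]:
    """Behavioral-modeling layer: every anomaly becomes a named signal."""
    signals = []
    if not s.known_device:
        signals.append("unknown device")
    if not s.usual_geo:
        signals.append("unusual location")
    if s.new_payee:
        signals.append("new payee")
    if s.amount > 3 * s.typical_amount:
        signals.append("amount far above baseline")
    return signals


def authorize(s: Submission) -> tuple[str, list[str]]:
    """Return (decision, signals) where decision is 'allow', 'dual_control' or 'deny'."""
    if not s.otp_verified:
        return "deny", ["otp failed"]          # first layer: OTP must pass
    signals = risk_signals(s)
    if len(signals) >= 3:
        # OTP passed but the session looks nothing like the account holder:
        # treat the OTP as possibly intercepted and refuse outright.
        return "deny", signals
    needs_dual = bool(signals) or s.amount > DUAL_CONTROL_ABOVE
    if needs_dual and not s.second_approver:
        return "dual_control", signals         # step up to a second human
    return "allow", signals


# Constructed cases
INTERCEPTED = Submission(True, False, False, True, 9_500.0, 1_200.0, False)
ROUTINE = Submission(True, True, True, False, 900.0, 1_200.0, False)
LARGE_KNOWN = Submission(True, True, True, False, 8_000.0, 1_200.0, False)
LARGE_APPROVED = Submission(True, True, True, False, 8_000.0, 1_200.0, True)

if __name__ == "__main__":
    for name, sub in [("intercepted", INTERCEPTED), ("routine", ROUTINE),
                      ("large_known", LARGE_KNOWN), ("large_approved", LARGE_APPROVED)]:
        print(name, authorize(sub))
```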

Check out the most recent issue of Credit Union Magazine where my fellow security colleagues and I further discuss combatting mobile threats.